ssl_bc_server_traffic_secret_0 string
ssl_bc_session_id binary
ssl_bc_session_key binary
+ssl_bc_sni string
ssl_bc_unique_id binary
ssl_bc_use_keysize integer
ssl_c_ca_err integer
traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
BoringSSL. It can be used in a tcp-check or an http-check ruleset.
+ssl_bc_sni : string
+ This retrieves the Server Name Indication TLS extension (SNI) field that was
+ used on the connection to the server. The result (when present) typically is
+ a string matching the HTTPS host name (253 chars or less). The main use case
+ is for logging and debugging purposes (e.g. figure what SNI was used when the
+ connection was established to match it against what the server has seen).
+
ssl_bc_unique_id : binary
When the outgoing connection was made over an SSL/TLS transport layer,
returns the TLS unique ID as defined in RFC5929 section 3. The unique id
}
#endif
+/* ssl_fc_sni and ssl_bc_sni */
static int
smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
smp->data.type = SMP_T_STR;
- conn = objt_conn(smp->sess->origin);
+ if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
+ conn = (kw[4] == 'b') ? sc_conn(__objt_check(smp->sess->origin)->sc) : NULL;
+ else
+ conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
+ smp->strm ? sc_conn(smp->strm->scb) : NULL;
+
ssl = ssl_sock_get_ssl_object(conn);
if (!ssl)
return 0;
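Review bot: The if/else that replaces the single `objt_conn(smp->sess->origin)` call selects the connection by inspecting `kw[4]`, and nothing in the hunk says why the fifth character of the keyword is meaningful; a reader has to know that this one fetch is registered under both "ssl_fc_sni" and "ssl_bc_sni", and a later registration of the same function under a name with a different prefix would silently take the wrong branch. A short comment above the test, `/* kw is "ssl_fc_sni" or "ssl_bc_sni": kw[4] ('f' or 'b') selects the side */`, would make the dependency on the keyword table explicit (the new "ssl_bc_sni" entry is in the sample_fetch_keywords hunk below). In the OBJ_TYPE_CHECK branch the frontend keyword deliberately yields `conn = NULL`, and the stream branch does the same when `smp->strm` is unset, so the code relies on `ssl_sock_get_ssl_object()` tolerating a NULL connection; its definition is outside this hunk, so that is an assumption worth confirming rather than a defect I can point to. The body of smp_fetch_ssl_fc_sni continues past the end of the hunk.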
#endif
{ "ssl_bc_err", smp_fetch_ssl_fc_err, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
{ "ssl_bc_err_str", smp_fetch_ssl_fc_err_str, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
+ { "ssl_bc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },